The institutions that make up our global healthcare system also place their trust in cybersecurity measures and technology to keep their systems running and repelling the unceasing wave of attacks they face. We often hear about the institutions that succumb to cyberattacks, but we don’t read much about the institutions that have been successful at defending their digital perimeter, and ultimately protected their ability to treat and protect patients.

Why were some institutions successful and others not as much? What cybersecurity capabilities made the healthcare institution resilient from these attacks? As we covered in our previous post on how healthcare can strengthen its cybersecurity resilience, establishing visibility and antifragility practices are necessary to repel attackers and build trust in the security and reliability of the technology our global healthcare system relies on.

Building effective visibility

Building visibility into technology assets requires a structured approach. As mentioned in the first blog in this series, using a guide like the NIST Cybersecurity Framework (CSF) provides an important mental model we can use to get a clear picture of the strengths and weaknesses of an organization’s cybersecurity risk profile, and how it applies to the assets the organization seeks to protect.

Cybersecurity author and leader Sounil Yu’s book Cyber Defense Matrix provides an important interpretation of the NIST CSF framework that can help us better understand what visibility we have into technology assets and how they are protected. Visibility is about more than just seeing all assets we have all at once. It’s also about understanding which assets are mission-critical and must be protected at all costs versus which ones are perhaps important but less crucial overall. Without the right balance, we end up trying to protect everything while not protecting what matters enough. This is where structural awareness comes in.

Structural awareness, or the conscious understanding and state of an organization’s assets, is established as one implements controls captured in the NIST CSF functions Identify and Protect. These controls focus on identifying assets, their bill of materials, their creators, their dependencies on other assets, the protections and vulnerabilities they have, and the threats they face. While visibility helps create an accurate map of technology assets, structural awareness builds on that visibility and answers questions such as, ”What are the ways the threat actor could compromise that asset? What could be lost? How would it most likely happen? Would I know?”

Yu says that structural awareness is efficiently achieved with the help of automation, and is not as people-intensive as many practitioners, decision-makers, and executives might think. If a cyberattack is like an explosion, cybersecurity teams’ structural awareness helps them understand how the explosion could happen before (or ‘left of’) it goes ‘boom’.

It’s also important to remember that while structural awareness is related to situational awareness in some ways, they are different concepts. Situational awareness refers to mechanisms that are used to detect and respond to an event. Structural awareness mechanisms are ‘left of boom,’ or mechanisms that protect your assets so that events don’t happen.  The goal is to stay ‘left of boom’ and avoid being ‘right of boom’.  Being proactive in your protections and being ready to respond in either case is really important, nonetheless.

Thinking about assets in terms of users, devices, networks, applications and workloads and data (asset classes), and adopting mechanisms to discover assets of each type through visibility controls suggested by the NIST CSF, will lead to developing structural awareness. Structural awareness can help avoid the boom, but if the boom does happen, it can also help shape the situational awareness needed to react. The Cyber Defense Matrix is an ongoing project, and you can read more about it (and contribute to it) here.

Framing asset discovery for resilience

Cybersecurity teams must map out their organizations’ most critical healthcare services and systems that support them, but that’s easier said than done. Asset discovery can feel overwhelming. Trying to find, count, and audit the hardware, software, users, and data down to the component across even a small part of one’s technology footprint can feel like pushing a dead car up a steep hill. The way to make this easier is to prioritize this effort in the parts of the business where the impact of a quality or safety issue has the potential to create the most harm to the organization and those who depend on it.

A smart place to begin the process to find and evaluate the measurements that an institution uses to monitor those processes.

• Healthcare providers: Start with the quality and safety measurements which must be submitted to various regulatory agencies in order to maintain licenses to operate.
• Health insurers: Look at the performance improvement metrics used to ensure subscriber benefits, quality requirements, and legal mandates are being met.
• Health IT services: Use service level agreements for measuring contract compliance with things like uptime, recovery time and point objectives, and response turnarounds.
• Life sciences organizations: Begin with the relevant Good Practice definitions and the metrics used to monitor quality and safety levels of products and services.

When analyzing the types of technology unique to healthcare – like network-connected medical devices such as infusion pumps, implantable pacemakers, ventilators, EKG equipment, and MRI machines – it’s important to ask what are the immediate safety hazards if there was a cyberattack. Not sure how to answer that question? The International Medical Device Regulators Forum produced a risk categorization model that could be helpful in framing that response. Operational technology, like blood bank and sample refrigerators, climate control, air handling, infection control and pneumatic tube systems, may also be used to identify and prioritize inventory efforts.

Once priorities have been set, teams can begin gathering data on critical services, the owners of those services, the systems those owners rely on, and the technology itself.

Inventory tactics on Google Cloud

Building service-technology mapping is not a one-time exercise. Organizations should take the time to automate inventory creation and maintenance, so they can maintain an up-to-date view of all the items in their environment at any given time. This is especially for organizations that have highly dynamic environments.

Google Cloud provides best practices on discovering and cataloging assets in its Cloud Architecture Center. Implement controls found in the Identity and Protect categories using the NIST Framework & Google Cloud technical paper. Automation is your friend when building and maintaining a complete and accurate inventory. Google Cloud Asset Inventory and Security Command Center can be used to inventory a variety of resources running in Google Cloud. Cloud Build, Google Cloud’s CI/CD platform, implements SLSA 1 and provides a trustworthy audit of software artifacts deployed through a managed pipeline. Cloud DLP inventories and labels data stored on Google Cloud Storage and services like BigQuery.

Meanwhile, a number of Google Cloud Marketplace partners have solutions that can help build a comprehensive inventory, and innovation continues to improve our technological options. One emerging field of security technology, called attack surface management, helps discover previously-unknown assets. Finally, our next blog on resilience discusses how to use a software bill of materials (also known by the breezy acronym SBOM) to gain visibility and structural awareness into applications.

It’s important to remember that when starting down this path, the goal is not to gain 100% visibility into every single component on every single device attached to every network supporting every service running. Success or failure is not achieved when the inventory process has reached an arbitrarily-determined ‘percentage complete.’ We want to prioritize expanding visibility and developing structural awareness on assets where safety and quality are at risk, so we can improve their resilience.

And finally, we feel it’s important to emphasize that in the past, healthcare industries have focused mainly on protecting the confidentiality of data. While that’s important, we must evolve security programs beyond protecting confidentiality as its primary (and some cases, only) focus.

To be resilient, we must design and build cybersecurity capabilities that deliver safety, integrity, and availability of the technology that cares for patients directly. As we gain visibility into the technology we depend on to keep us healthy, we improve our understanding about which parts of it we can trust, and which parts we can’t. Improving visibility is an important early step on our path to resilience.